Tesla Model S Hack Could Let Thieves Clone Key Fobs to Steal Cars

Despite having proper security measures in place to protect the driving systems of its cars against cyber attacks, a team of security researchers discovered a way to remotely hack a Tesla Model S luxury sedans in less than two seconds.

Yes, you heard that right.

A team of researchers from the Computer Security and Industrial Cryptography (COSIC) group of the Department of Electrical Engineering at the KU Leuven University in Belgium has demonstrated how it break the encryption used in Tesla’s Model S wireless key fob.

With $600 in radio and computing equipment that wirelessly read signals from a nearby Tesla owner’s fob, the team was able to clone the key fob of Tesla’s Model S, open the doors and drive away the electric sports car without a trace, according to Wired.

“Today it’s very easy for us to clone these key fobs in a matter of seconds,” Lennert Wouters, one of the KU Leuven researchers, told Wired. “We can completely impersonate the key fob and open and drive the vehicle.”

Tesla’s Key Fob Cloning Attack Takes Just 1.6 Seconds

Like most automotive keyless entry systems, Tesla Model S key fobs also work by sending an encrypted code to a car’s radios to trigger it to unlock the doors, enabling the car to start.

However, the KU Leuven researchers found that Tesla uses a keyless entry system built by a manufacturer called Pektron, which uses a weak 40-bit cipher to encrypt those key fob codes.

The researchers made a 6-terabyte table of all possible keys for any combination of code pairs, and then used a Yard Stick One radio, a Proxmark radio, and a Raspberry Pi mini-computer, which cost about $600 total—not bad for a Tesla Model S though—to capture the required two codes.

With that table and those two codes, the team says it can calculate the correct cryptographic key to spoof any key fob in just 1.6 seconds. To understand more clearly, you can watch the proof of concept video demonstration which shows the hack in action.

The team reported the issue to Tesla last year, but the company addressed it in June 2018 by upgrading the weak encryption. Last month, the company also added an optional PIN as an additional defense.

Tesla Paid $10,000 Bounty to the Researchers

After the story broke, Tesla was criticised on Twitter for using a weak cipher, though a member of the KU Leuven team appreciated Tesla for quickly responding to their report and fixing the issue,, on the same time, accused other vehicle makers using keyless entry tech from the same vendor and ignoring reports.

“Everybody is making fun of Tesla for using a 40-bit key (and rightly so),” Cryp·tomer tweeted. “But Tesla at least had a mechanism we could report to and fixed the problem once informed. McLaren, Karma, and Triumph used the same system and ignored us.”

Tesla paid the KU Leuven team a $10,000 bounty and plans to add the researchers’ names to its Hall of Fame.